DNS only entry redirects to HTTPS

I have 2 domains in Cloudflare. Let’s say domain 1 is example.com and domain 2 is example2.com
Both domains have the same SSL settings and both domains have a DNS entry pointing to an IP of one of my Linux servers. The Linux server runs a small private API. I can access the API with domain 1 (http://api.example.com:6050/) but I can’t on domain 2 (http://api.example2.com:6050/). It automatically redirects me to HTTPS, which my server doesn’t support. I checked every setting to make sure everything is set up correctly and it is. The API DNS entry is also just an A record without proxy.

My settings:

  • SSL/TLS: Flexible

  • Always Use HTTPS: enabled (I also tried to disable it and it didn’t change anything. It also works on domain 1 with it enabled)

  • HSTS: disabled

  • Opportunistic Encryption: enabled

  • Automatic HTTPS Rewrites: enabled

  • No extra rules enabled

These should be the default settings.

Hi HypedDomi,

Thanks for posting your question in Cloudflare Community :raised_hands:. My name is Ale, and I’m a Technical Support Engineer here at Cloudflare.

Reviewing your questions and statements from your post:

I can access the API with domain 1 (http://api.example.com:6050/) but I can’t on domain 2 (http://api.example2.com:6050/)

Are both api.example.com and api.example2.com orange-clouded (not DNS-only proxied) in Cloudflare? I wouldn’t expect non-standard HTTP/HTTPS (80/443) ports to work as expected unless an Origin Rule and/or Spectrum are involved.

From our Dev Docs on Automatic HTTPS rewrites:

If your site contains links or references to HTTP URLs that are also available securely via HTTPS, Automatic HTTPS Rewrites can help.

You mentioned that HTTPS is not supported in your origin server, so I would turn this feature off.

Setting your SSL/TLS setting to Flexible means that only the traffic between visitors ↔ Cloudflare uses HTTPS while the connection Cloudflare ↔ Origin server remains in HTTP. If your origin server only supports HTTP, Flexible would be a compatible setting.

Thank you!

No. They’re DNS only. I can’t proxy them because I can’t use SSH then.

Disable it for the whole domain, or should I put it as a rule for the API DNS entry?

If the DNS records are grey-clouded, no page rules or Automatic HTTPS rewrites will take effect, as they require them to be orange-clouded.

This means that if there is an HTTPS rewrite taking place, it might be happening at the origin server that is hosting http://api.example2.com:6050/. I’d suggest digging more into this.


This is a general issue and your whole site is still insecure.

Change that to Full Strict and make sure your server is properly configured.

Yeah, that’s fine. The main domain is linked to Vercel, which has an SSL certificate.
And for the API DNS entry it’s fine when it only uses HTTP instead of HTTPS. It doesn’t receive or send sensitive data.

If it is not sensitive, just switch to Off and there won’t be an issue. Otherwise make sure you are on Full Strict.

Right now you have an insecure legacy mode which typically breaks sites.

I dug around a bit and found that Domain2 uses HSTS, although HSTS is disabled in Cloudflare. The domain is from Google Domains, and Google automatically enabled HSTS. I disabled it as soon as I switched the NS to Cloudflare. Is Google maybe still doing something?


Looks like you can’t disable HSTS for the .dev TLD. Thank you all for the help though.

That is correct. That TLD is configured for HSTS by the registry, hence any compliant client will always use HTTPS. I am afraid you will have to use HTTPS in that case and cannot use HTTP. In that case make sure you are on Full Strict and have a proper certificate on the server.
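The reply above is the key point of the thread: when a TLD is on the HSTS preload list, the browser rewrites http:// to https:// before a single packet leaves the machine, so neither the Cloudflare zone settings on a DNS-only record nor the origin server ever see the plaintext request. The following Python script is an added example (not code from the thread or from Cloudflare) that reproduces that client-side decision: it walks a hostname up through its parent labels against a preload table, applies dynamically learned Strict-Transport-Security headers, and upgrades the URL while preserving a non-standard port such as 6050, as RFC 6797 section 8.3 requires. The PRELOAD table is a constructed subset: .dev and .app really are registry-preloaded with includeSubDomains, but a real check must consult the Chromium preload list (hstspreload.org). Hostnames and header values in the test are constructed.

```python
"""Simulate a compliant client's HSTS upgrade decision for a URL.

Added example, not code from the thread. The preload table is a
constructed subset of the real Chromium HSTS preload list.
"""
from urllib.parse import urlsplit, urlunsplit

# Constructed subset of the preload list: entry -> includeSubDomains.
# ".dev" and ".app" are genuinely preloaded at the registry level, which
# is why an http:// URL under them never reaches the network.
PRELOAD = {"dev": True, "app": True}


def covering_entry(host, table):
    """Return the table entry that covers host, or None.

    Walks from the full host up through each parent label, as a browser
    does; a parent entry only applies if it carries includeSubDomains.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in table and (i == 0 or table[candidate]):
            return candidate
    return None


def parse_hsts_header(value):
    """Parse a Strict-Transport-Security value into (max_age, includeSubDomains).

    Returns None when the header is invalid (missing or non-numeric max-age),
    in which case a client ignores it.
    """
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(val.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


def record_hsts(dynamic, host, header_value, over_https=True):
    """Update the dynamic HSTS store from a response header.

    RFC 6797 requires clients to ignore the header on plain HTTP responses,
    and max-age=0 removes a previously learned entry. Returns True when the
    store was changed.
    """
    if not over_https:
        return False
    parsed = parse_hsts_header(header_value)
    if parsed is None:
        return False
    max_age, include_sub = parsed
    host = host.lower()
    if max_age == 0:
        dynamic.pop(host, None)
    else:
        dynamic[host] = include_sub
    return True


def upgrade_url(url, dynamic=None):
    """Return (url_the_client_fetches, reason); reason is None if unchanged.

    Preloaded entries are checked first, then dynamically learned ones.
    The port is preserved unless it was the default 80, so
    http://host:6050/ becomes https://host:6050/ and the origin must
    speak TLS on that port.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return url, None
    host = parts.hostname or ""
    entry = covering_entry(host, PRELOAD)
    reason = f"preload:{entry}" if entry else None
    if reason is None and dynamic:
        entry = covering_entry(host, dynamic)
        reason = f"dynamic:{entry}" if entry else None
    if reason is None:
        return url, None
    port = parts.port
    netloc = host if port in (None, 80) else f"{host}:{port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment)), reason


if __name__ == "__main__":
    # Constructed hosts mirroring the thread's two cases.
    print(upgrade_url("http://api.example2.dev:6050/"))   # upgraded by the .dev preload entry
    print(upgrade_url("http://api.example.com:6050/"))    # left alone: no HSTS applies
```

Running the script shows the asymmetry the thread ends on: the .dev host is upgraded to https://api.example2.dev:6050/ purely from the preload table, while the .com host on the same server is fetched over plain HTTP. For the dynamic case, note that a header learned for example.com without includeSubDomains does not drag api.example.com along, so an HTTP-only API subdomain is safe from the apex's policy unless that directive is present.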

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.